Powered by AWS

Box’s new service lets users hold on to their own encryption keys

It’s only been a few weeks since Box went public, but the file-sync company with a work-collaboration bent is rolling out a new encryption-key feature to entice big-name companies, the General Electrics of the world, that are hesitant to jump to the cloud for security reasons.

Called Box Enterprise Key Management (EKM), the new tool lets customers keep full control of their encryption keys while still using the Box platform. Box will work with customers to install an encryption appliance from the company SafeNet, a hardware security module (HSM), both in their on-premises data centers and in Amazon Web Services, according to a Box blog post by CEO Aaron Levie.

Each file a customer uploads to his or her Box account gets a unique key “for each version of the file,” which Box then sends to the HSM; the appliance then encrypts the file “with the customer’s own key,” Levie wrote. As a result, Levie said, customers have full control of the encryption key, and Box can access those files only with customer approval.
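The key flow Levie describes, modelled as an added example that is not Box’s or AWS’s code: a simulated customer-held HSM, a fresh key for each file version, and an unwrap step the customer can refuse. It is written in Ruby with the standard openssl library; the class and method names are my own, and the appliance’s encryption step is assumed here to be wrapping the per-version key rather than re-encrypting the whole file.

```ruby
require 'openssl'

# CustomerHSM stands in for the SafeNet appliance: it holds the customer's key and only
# wraps or unwraps per-file keys, so that key never reaches Box's servers.
class CustomerHSM
  attr_accessor :approved # the customer's approval switch for Box's unwrap requests
  def initialize
    @kek = OpenSSL::Random.random_bytes(32) # customer-owned key, generated inside the appliance
    @approved = true
  end

  def wrap(file_key)
    Envelope.seal(@kek, file_key)
  end
  def unwrap(wrapped)
    raise 'unwrap refused: customer approval withdrawn' unless @approved
    Envelope.open(@kek, wrapped)
  end
end

# AES-256-GCM; the 12-byte nonce and 16-byte tag are prepended so one blob round-trips.
module Envelope
  def self.seal(key, plaintext)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = key
    nonce = c.random_iv
    body = c.update(plaintext) + c.final
    nonce + c.auth_tag + body
  end

  def self.open(key, blob)
    raise 'ciphertext too short' if blob.bytesize < 28
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = key
    c.iv = blob.byteslice(0, 12)
    c.auth_tag = blob.byteslice(12, 16)
    c.update(blob.byteslice(28..)) + c.final # CipherError on a wrong key or tampering
  end
end

# Each file version gets its own key; Box stores only the sealed content and the HSM-wrapped key.
def upload_version(hsm, content)
  file_key = OpenSSL::Random.random_bytes(32)
  [Envelope.seal(file_key, content), hsm.wrap(file_key)]
end

# Download works only while the HSM agrees to unwrap this version's key.
def download_version(hsm, ciphertext, wrapped_key)
  Envelope.open(hsm.unwrap(wrapped_key), ciphertext)
end
```

Flipping `approved` to false is the customer withdrawing approval: the stored ciphertext and wrapped key stay with Box but can no longer be opened.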

What’s interesting is the role Amazon plays in this, which Levie doesn’t expand too much on in his post. According to a blog post by AWS chief evangelist Jeff Barr, the new feature “is powered by AWS CloudHSM,” which is the service that essentially links the HSM to a customer’s AWS cloud.

From the blog post detailing AWS CloudHSM:
“As part of the service, you have dedicated access to HSM capabilities in the cloud. AWS CloudHSM protects your cryptographic keys with tamper-resistant HSM appliances that are designed to comply with international (Common Criteria EAL4+) and U.S. Government (NIST FIPS 140-2) regulatory standards for cryptographic modules. You retain full control of your keys and cryptographic operations on the HSM, while Amazon manages and maintains the hardware without having access to your keys.”

I reached out to Box to elaborate a bit more on the role AWS’s technology plays in this new feature, as well as whether it works across other cloud providers like Google and Microsoft, and I’ll update this post if I hear back.

The new security tool is now available in beta and should be ready for public consumption this coming spring.

Update – 2:32 PM PT. A Box spokesperson sent us some comments.

Regarding whether we will see similar features rolled out for other cloud providers:

“We expect that over time other public cloud providers will follow our lead and offer customers the ability to manage their encryption keys. This may require making similar investments to architect the public cloud service to work with a key managed by the customer. As more cloud providers move to support this model, customers will have an easier time centralizing control over key management across their cloud applications.”

Regarding how the new feature utilizes AWS:

“AWS CloudHSM is the hosting partner for the HSMs that are part of the new Box EKM architecture. We are listening to our customers on their preferences for additional partners.”